A new ransomware cyberattack similar to last month's WannaCry is now spreading in Europe, Russia and the USA.
At least 80 major private companies have been infected, including the pharmaceutical group Merck, the Danish shipping company AP Moller-Maersk (which handles one out of every seven containers shipped globally), the British advertising firm WPP, Saint-Gobain in France, and the Russian companies Evraz and Rosneft.
PetyaWrap, as security experts labeled it, uses the same NSA-created exploit: Eternal Blue.
In fact, this new ransomware includes:
- A modified EternalBlue exploit
- A vulnerability in a third-party Ukrainian software product
- A second SMB network exploit
With WannaCry, the malware developers had made mistakes such as including an online killswitch (the malware checked whether a particular domain name was registered or not). This time, the malware is much more sophisticated, with no such mistake present.
However, there seems to be a local killswitch. Scroll to the Prevention section of the article to learn more.
When Petya infects a machine, it encrypts the Master File Table (MFT), rendering the Master Boot Record (MBR) unreadable. It then displays a DOS-like ransom message.
The ransom asked is $300 worth of Bitcoin, the cryptocurrency. The transactions to the receiving Bitcoin wallet can be followed here.
The antivirus maker Avast reports 12,000 attack attempts over the day.
It is not yet clear exactly how the cryptovirus works, but it seems to make use of PsExec, a Sysinternals tool designed as a telnet replacement that makes remote execution on other machines easier.
What makes this new strain even more virulent is the fact that "New #Petya uses #LSADump to get Admin password and infect all network. There is no need for #EternalBlue vulnerable PCs. #infosec", according to a tweet by Group-IB.
If you are infected, do not pay. Posteo, the email provider of the address associated with the ransomware, blocked the address.
Here are the facts that we can contribute to “PetrWrap/Petya”:
- Since midday it is no longer possible for the blackmailers to access the email account or send emails.
- Sending emails to the account is no longer possible either. - Posteo
Point of entry
How did the cryptovirus begin? It most likely started with phishing emails sent to targets in Ukraine, written in both Ukrainian and Russian. These emails apparently contained Word documents with infected macros, along with infected PDF documents.
If your files are encrypted, there's nothing that can be done as of now.
But actions can still be taken to stop the infection.
- Patch all Windows systems against the MS17-010 vulnerabilities.
- Enforce firewalls at both the network level and the host level to block TCP/445 traffic from untrusted sources. If possible, block inbound 445 to all Windows computers and servers exposed to the harshness of the internet.
- Make sure you have up-to-date backups of your important systems and files. Backups are the only complete solution to avoid ransomware-induced data loss. Backup with the 3-2-1 strategy: 3 copies of your data, 2 of which are local but on different devices, and at least 1 copy offsite (cloud provider like CrashPlan, SpiderOak, BackBlaze... or a colocated box).
To quickly stop Petya right now - MS17-010 patch AND blocking ADMIN$ via GPO will stop lateral movement on WMI and PSEXEC. #Petya - Binary Defense (@Binary_Defense), 27 June 2017
Cybereason security researcher Amit Serper also discovered a way to prevent the new Petya variant from running with this local killswitch: creating a file in c:\windows called perfc without any extension:
98% sure that the name is perfc.dll. Create a file in c:\windows called perfc with no extension and #petya #Nopetya won't run! SHARE!! https://t.co/0l14uwb0p9 - Amit Serper (@0xAmit), 27 June 2017
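As an added example that is not part of the original article or any vendor's tooling, the following PowerShell script applies the host-level part of the firewall advice from the mitigation list above and the perfc local killswitch from the tweet on a single Windows machine, then reports the result. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer (for the NetSecurity cmdlets); the firewall rule name is our own choice.

```powershell
# Added example (not from the article or any vendor): apply the host-level
# TCP/445 block and the "perfc" killswitch on this machine, then verify.
# Assumptions: elevated PowerShell, Windows 8.1 / Server 2012 R2 or later
# so that the NetSecurity module is available; rule name is our own choice.
#Requires -RunAsAdministrator

$ruleName = 'Block inbound SMB TCP/445 (Petya/EternalBlue mitigation)'

# 1. Host firewall: drop all inbound SMB. This cuts off the EternalBlue
#    delivery path but is not a substitute for installing the MS17-010 patch.
#    Hosts that must serve SMB to a known range should not use this blanket
#    rule; scope -RemoteAddress to the untrusted ranges instead.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress Any -Action Block `
        -Profile Any | Out-Null
}

# 2. Local killswitch: the sample exits if C:\Windows\perfc already exists.
#    Create it empty and mark it read-only so it is not trivially deleted.
$perfc = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path -LiteralPath $perfc)) {
    New-Item -ItemType File -Path $perfc | Out-Null
}
(Get-Item -LiteralPath $perfc).IsReadOnly = $true

# 3. Verify both controls are in place and report one object per host,
#    which is convenient to collect when the script is run remotely.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Smb445Blocked = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    PerfcPresent  = Test-Path -LiteralPath $perfc
    PerfcReadOnly = (Get-Item -LiteralPath $perfc).IsReadOnly
}
```

The killswitch only stops this particular variant from running; patching and backups remain the controls that address the underlying risk.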
Update: a wiper?
Several things may indicate that this was not really ransomware, but rather something much worse: a wiper.
The flawed ransom collection process (a single email address) is a strong argument for this hypothesis.
While Avira "can’t confirm the wiping behavior", Ars Technica is pretty confident the outbreak was in fact a wiper, based on analysis by Kaspersky researchers.
However, for F-Secure researchers, EternalPetya is not a wiper. An example of a real wiper would be Shamoon. EternalPetya is not in the same category, as its ransomware component is almost functional: the encryption has been confirmed to work. The problem is the absence of a private key with which to decrypt the file decryption key.
Note that the malware does not include this decryption functionality. A separate decryptor tool would need to be provided to victims. - F-Secure
How can you protect yourself from ransomware and wipers? Besides backups, a behavior-based antivirus is essential to detect never-seen-before samples. Antivirus vendors use several techniques to detect new malware; in computer security, machine learning is one solution to this 0-day problem. Bitdefender and Avira use such AI implementations.
Here is how Olivia from Avira explains the nitty-gritty of their 0-day detection process:
NightVision is one of the Avira machine learning systems. It is trained on all the Windows binaries we know as either malware or clean. It identifies how similar a new, unknown file is to our malware or clean file sets. In this specific case, there was no other malware sample that was very similar, but still close enough to other malware to classify it as such.
When a malware or clean sample is not detected correctly by this machine learning system, the system retrains on the information within a couple of minutes. This means that the Avira Protection Cloud will correctly classify all other new files that are similar to the newly trained one.
We will see this type of AI-assisted malware detection more often in the future, as antivirus vendors like Bitdefender start focusing on the threats of tomorrow, instead of staying stuck in the past with the signature model.
TL;DR: the presence of bugs in the ransom part of the ransomware does not automatically make EternalPetya a wiper. It could be just a buggy ransomware, or even a ransomware-in-development. Update and backup!